unable to generate self signed certificate on secondary ISE Identity Services Engine node

ottavio.corsini · ‎01-15-2015

certificate has expired,

we can generate a new one on the primary node

not on the secondary node that fails

with

"internal error - please ask your Administrator to review the error logs."

Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
   at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
   at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
   at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
   at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
   at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
   at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
   at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
   at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
   at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
   at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
   at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
   at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
   at org.apache.axis.components.net.JSSESocketFactory.create(JSSESocketFactory.java:186)
   at org.apache.axis.transport.http.HTTPSender.getSocket(HTTPSender.java:191)
   at org.apache.axis.transport.http.HTTPSender.writeToSocket(HTTPSender.java:404)
   at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:138)
   ... 71 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
   at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
   at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
   at sun.security.validator.Validator.validate(Unknown Source)
   at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(Unknown Source)
   at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
   at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
   ... 83 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
   at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
   at java.security.cert.CertPathBuilder.build(Unknown Source)
   ... 89 more
2015-01-15 10:27:09,270 ERROR 2015-01-15 10:27:09,270 [http-443-15][] cpm.admin.infra.action.LocalCertAddAction- Unable to import certificate : com.cisco.cpm.infrastructure.certmgmt.api.CertMgmtException: com.cisco.cpm.nsf.api.exceptions.NSFEntitySaveFailed: com.cisco.cpm.nsf.api.exceptions.NSFEntityTypeException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
2015-01-15 10:27:22,019 INFO 2015-01-15 10:27:22,019 [http-443-17][] cpm.admin.infra.action.TimeSettingsAction- retrieve server status: SEC(A), SEC(M)

nspasov · ‎01-16-2015

What version and patch level of ISE are you running?

Thank you for rating helpful posts!